Roger Halbheer on Security » Incidents

What Microsoft can teach Apple about security response

Roger Halbheer — Wed, 09 May 2012 14:01:41 +0000

I guess, I do not have to comment this – right?

What Microsoft can teach Apple about security response

To quote the summary:

Microsoft just released seven security updates to fix 23 vulnerabilities in Windows and other products. In February, Apple released a massive update that covered 51 vulnerabilities and also introduced an embarrassing security flaw. The contrast is striking.

Roger

Build your own sniffing kit

Roger Halbheer — Tue, 24 Apr 2012 09:06:03 +0000

When people look at attackers, they always think that they are extremely smart people. There are really smart people building the kits but the ones applying it? Well, you just need the right guidance:

Hacker’s Tiny Spy Computer Cracks Corporate Networks, Fits In An Altoid Tin

Fairly easy, isn’t it?

Roger

Council of Europe Octopus Conference- Some Thoughts

Roger Halbheer — Wed, 23 Nov 2011 11:21:49 +0000

l am still sitting in the parliament room of the Council of Europe at the celebration event for the Budapest Convention. It was another very good event advancing the challenges fighting Cybercrime. Let me try to summarize a few thoughts:

The Budapest Convention is probably the best convention out there allowing a wide adoption of a harmonized legislation to fight Cybercrime internationally.
A lot of countries outside the Council adopted or are in the process adopting the convention
It balances the fight against criminals with the protection of Privacy and Human Rights.
The willingness and the activities to collaborate internationally increase
The idea of the Cybersecurity Agenda as a mechanism to land and integrate Cybercrime and Cyberscurity resonated extremely well

A lot of good signs. There are some caveats however:

There are countries rejecting adoption mainly because Council of Europe does not have a global mandate or because it is called Budapest Convention. I guess the criminals like this approach
The economical challenges esp. in Europe decreases the amount of money available for this. The call then was, that the private sector has to do more. We are committed continuing supporting these activities but typically if governments are financially challenged- well they are our customers as well
Where is the private sector? I just meet a few companies at these events: Some security vendors, some credit cad companies and us. Where are the others? Where is Google? Where is Apple? What about IBM? Amazon? The big Telcos? Why do they not participate in addressing crime and helping governments to get better and carry the burden? Do they not care?

Roger

VeriSign to Take Down Malware Sites?

Roger Halbheer — Wed, 12 Oct 2011 07:47:53 +0000

This is actually an interesting approach: VeriSign Proposes Takedown Procedures and Malware Scanning for .Com. This leads to the discussion I have so often: What is more important? The single website or the greater good? Now, do not get me wrong: I see the risks of VeriSign taking down microsoft.com because a blog hosted there spreads malware or facebook.com because somebody was able to host malware. It might even lead to competitive challenges. I completely get this and the processes linked to it have to be clear, transparent and need a dispute resolution before the takedown. But I guess that VeriSign gets this as well.

The reactions in the comments are worth reading as well…

Roger

Hackers using QR Codes to Push Malware

Roger Halbheer — Mon, 03 Oct 2011 06:33:52 +0000

Always something new… As these kinds of codes are mainly used on mobile phones (or only used on mobile phones) the malware actually addresses smartphones “only” – in this case Android: Hackers using QR codes to push Android malware. If you use a code such as this (source: ZDnet Article referenced):

You will be redirected to a website hosting the malware.

How often do you use these codes? I am using the gettag below since quite a while and get quite some click-through but personally I am not using them too often.

Anyway: Another attack vector to trick users into doing something they do not want.

Roger

Update on DigiNotar

Roger Halbheer — Sun, 04 Sep 2011 08:18:40 +0000

And interesting development tonight: Based on what happened with DigiNotar recently (especially with the false certificates for *.google.com), the Dutch government decided to have an official statement and in there to take over operations of the CA. The official statement (in Dutch) can be found here.

The key problem is that the certs were used to spy on people by impersonating the Google website. This is a significant issue. I think the key problem is not “only” the certs, which are known to be fraudulent (and this is the context you have to put my earlier statements in) but the question is much more how many certs are fraudulent without us knowing.

I will keep you posted

The DigiNotar Story–So Far

Roger Halbheer — Fri, 02 Sep 2011 07:38:38 +0000

I just read an article on SANS: DigiNotar breach – the story so far. To be clear: This is not a Microsoft analysis nor any official statement from us. What we have to say is in the advisory: Microsoft Security Advisory (2607712) – Fraudulent Digital Certificates Could Allow Spoofing. It just gives an interesting overview of what happens.

What strikes me is the following fact: In the digital world a 99.9% security that a certificate can be trusted seems not to be enough – we need 100%. If we look at the physical world, we are completely different. I have a Swiss passport, which is highly regarded as a trusted document everywhere I traveled so far. It is well-known that it is an interesting target as well to create fake Swiss passports because it is well-trusted. We all know that a certain amount of passports are faked out there but we still trust them without even thinking twice (except if you work at immigration) for banking, health, whatever. I still try to understand, where the difference comes from. Why is this the case?

Roger

Special Intelligence Report on the Rustock Takedown

Roger Halbheer — Wed, 06 Jul 2011 07:27:38 +0000

As you might remember, on Match 16th Microsoft together with other industry players was successfully able to take down the Rustock botnet and thus significantly reducing the spam level.

We now just published a special Intelligence Report on this botnet:

Read an overview of the Win32/Rustock family of rootkit-enabled backdoor Trojans background, functionality, how it works, and threat telemetry data with analysis for 2010 to May 2011. This document provides legal and technical action used to takedown the Rustock botnet and how to detect and remove the threat using Microsoft antimalware products.

You will find it here.

Roger

Microsoft Security Update Guide, Second Edition

Roger Halbheer — Mon, 28 Mar 2011 15:32:40 +0000

A while ago we released the Microsoft Security Update Guide to explain how we release security updates and how you should/could work with our updates. It encompasses these themes:

Get to know the security update release process
Learn how to evaluate risk
See how to mitigate security risks
Understand how quickly you need to apply updates
Assess your update
Get ongoing security

If you are somehow linked to the security update process in your organization, you should download it and look at it here: Microsoft Security Update Guide, Second Edition

Roger

Effectiveness of SecureID reduced?

Roger Halbheer — Fri, 18 Mar 2011 16:01:06 +0000

It seems that RSA got attacked and might have lost some information. They actually took a really courageous step and went public and the Executive Chairman wrote an open letter. To quote:

While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.

and

We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.

Roger